Aaron-

On Oct 21, 6:30 pm, "Aaron Swartz" <[EMAIL PROTECTED]> wrote:
> I think it's reasonable to keep information in a DB tied to an
> account, since someone can log back in from somewhere and get at the
> data. Whereas you can't log back into your session if you trash your
> cookies.

Yes, that's key -- "session state" is hidden from the web (thus
not RESTful). On the web, things (resources) need to have a name
(URI). As you say, a URI that allows an authorized user to get back at
the resource is completely RESTful. Roy Fielding (the fellow who
coined "REST") makes a distinction between resource state and
application state.  Resource state is "owned" by the server and
application state is (should be!) "owned" by the client.  A cookie
that simply points to a hidden resource on a server by way of a
session token means the client does not really control that resource.
It's a loss of control for the client and a loss of opportunity (that
resource cannot be serendipitously reused) for the server.  Lots more
good discussion on this on the rest-discuss list.  Excellent REST
gurus there include Roy Fielding, Mark Baker, Aristotle Pagaltzis,
Bill DeHora, etc.

--peter keane
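An added illustration of the resource-state versus session-state distinction discussed above (my own example, not code from this thread or from web.py): an opaque session token is the only name the state ever gets, so it is unreachable once the cookie is gone, whereas a URI-named resource tied to an account can be fetched again after logging back in, with the per-request authorization check that naming it makes necessary. Class names, the URI scheme and the sample data are assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """State reachable only through an opaque session token (the cookie value)."""
    data: dict = field(default_factory=dict)

    def create(self, payload):
        token = secrets.token_urlsafe(16)  # the only "name" this state ever gets
        self.data[token] = payload
        return token

    def get(self, token):
        return self.data.get(token)


@dataclass
class ResourceStore:
    """State named by a URI and owned by an account (hypothetical URI scheme)."""
    resources: dict = field(default_factory=dict)

    def create(self, owner, name, payload):
        uri = f"/users/{owner}/{name}"
        self.resources[uri] = (owner, payload)
        return uri

    def get(self, uri, requester):
        entry = self.resources.get(uri)
        if entry is None:
            return None
        owner, payload = entry
        # A named resource is addressable by anyone who knows the URI, so the
        # server must still check that the requester is allowed to read it.
        return payload if requester == owner else None


def demo():
    cart = {"items": ["book"]}  # constructed sample state
    sessions, resources = SessionStore(), ResourceStore()
    cookie = {"session": sessions.create(cart)}
    uri = resources.create("alice", "cart", cart)
    cookie.clear()  # the client trashes its cookies
    via_session = sessions.get(cookie.get("session"))  # gone: nothing else names it
    via_uri = resources.get(uri, "alice")  # alice logs back in and fetches the URI
    via_uri_other = resources.get(uri, "bob")  # another account is refused
    return via_session, via_uri, via_uri_other
```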
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"web.py" group.
To post to this group, send email to webpy@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/webpy?hl=en
-~----------~----~----~----~------~----~------~--~---